证书x509扩展
[英]Certificate x509 Extensions
问题描述
I have some closed application works as HTTP server which uses SSL. 
我有一些封闭的应用程序用作使用SSL的HTTP服务器。 I would like to swap certs but from some reason my self-signed one is rejected and server does not send server hello (I got 104 error). 我想交换证书,但是由于某种原因我的自签名证书被拒绝并且服务器不发送服务器问候(我收到104错误)。 Anybody knows what's the difference between them to and what could be the problem? 谁知道它们之间有什么区别,可能是什么问题? Btw. 顺便说一句。 There are also some CAs but I don't think it does matter because without them server sends back its cert as well. 也有一些CA,但我认为这并不重要,因为没有它们,服务器也会发回其证书。 I try to generate my cert using: 我尝试使用以下方法生成我的证书:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 360 openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 360
My cert: 我的证书:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
e7:ee:93:5d:78:65:56:ad
Signature Algorithm: sha1WithRSAEncryption
Issuer: O=(...), CN=(...)
Validity
Not Before: Apr 23 17:58:29 2014 GMT
Not After : Apr 18 17:58:29 2015 GMT
Subject: O=(...), CN=(...)
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
(...)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
31:CD:5A:41:C0:64:DD:C4:96:30:AB:E2:99:9F:2D:40
X509v3 Authority Key Identifier:
keyid:31:CD:5A:41:C0:64:DD:C4:96:30:AB:E2:99:9F
1
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
(...)
-----BEGIN CERTIFICATE-----
(...)
-----END CERTIFICATE-----
The oryginal cert: 原始证书:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1284084212 (0x4c8991f4)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=(...), CN=(...)
Validity
Not Before: Apr 23 17:58:29 2014 GMT
Not After : Apr 18 17:58:29 2015 GMT
Subject: CN=(...).com, O=(...)
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
(...)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Certificate Policies:
Policy: (...)
X509v3 Subject Alternative Name:
DNS:(...).com
X509v3 Authority Key Identifier:
keyid:(...)
X509v3 Subject Key Identifier:
(...)
Signature Algorithm: sha256WithRSAEncryption
(...)
-----BEGIN CERTIFICATE-----
(...)
-----END CERTIFICATE-----
2 个解决方案
解决方案1
0 2014-04-23 19:09:50
If I understand how ssl works here is what happends: previously you had a server with certificate signed by some authority, which your browser trusts. 如果我了解ssl的工作原理,那就是发生了什么:以前,您有一台服务器,该服务器的证书由某些浏览器信任,并由某些机构签名。 Even though it has no internet connection when you try to access url on your server with https://..., browser checks a server's certificate, hey, it signed with ca, which I trust, so we're good to go. 即使当您尝试使用https:// ...访问服务器上的URL时,它没有Internet连接,浏览器也会检查服务器的证书,嘿,它是用ca签名的,我相信,所以我们很高兴。 But this is not longer the case. 但这不再是事实了。 How to make your client trust self-signed certificate depends on who the client is: browser, mobile application, whatever. 如何使您的客户端信任自签名证书取决于客户端是谁:浏览器,移动应用程序等等。 If it's browser, check it's settings. 如果是浏览器,请检查其设置。 Note: The fact that server doesn't have internet connection doesn't mean that certificate was signed by some local CA since list of some default globally trusted CA are preconfigured in browser's settings. 注意:服务器没有互联网连接的事实并不意味着证书是由某些本地CA签名的,因为一些默认的全局受信任CA的列表是在浏览器的设置中预先配置的。
解决方案2
0 2014-04-23 19:18:48
The following extensions are necessary, but seem to be missing: 以下扩展名是必需的,但似乎缺少:
- Key Usage: critical, keyEncipherment (maybe digitalSignature too?) 密钥用法:关键,keyEncipherment(也许也是数字签名?)
- Extended Key Usage: serverAuth 扩展密钥用法:serverAuth
- maybe: Netscape Cert Type: server 也许:Netscape证书类型:服务器
Also, the CN should match the hostname (or subject alternative names matches host name). 另外,CN应该与主机名匹配(或主题备用名称与主机名匹配)。 And of course, because the certificate is self-signed you have to explicitly add a trust to the client. 当然,由于证书是自签名的,因此您必须向客户端明确添加信任。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.